Hi, I have spent more than two weeks finding out the main bells and whistles of deploying a Linux machine as a Samba server in an MS W2K3 AD environment, so I would like to share my experience here. I suppose this could help add some important details to the previous postings in this thread and summarize the whole process. As I am not an expert in this area, I still do not thoroughly understand many relevant things, so please be tolerant.

Installation goals:
* use Kerberos for user authentication to the system and for access to the samba shared directories
* use encrypted access to the LDAP interface of the MS Active Directory

LDAP browser - for accessing the AD through LDAP and viewing the information stored there (you can see the same information in the MS ADSI Editor, too). You can use it to check the directory structure and to read/edit the information stored there. I am using the Java LDAP browser from this page:
http://www.iit.edu/~gawojar/ldap/
Unfortunately, this browser doesn't play well with the blackdown-jdk, but works fine with the sun-jdk.

strace (dev-util/strace) - debugging utility which intercepts and records the system calls made by a process and the signals received by the process. For example, to find out which files are opened during execution of the getent passwd command, you can use this command:

Code:

strace -e open getent passwd

Windows Software
Microsoft Services For Unix, or SFU (the current version is 3.5). You can download this software (approx. 350MB) from this site:

(You have to be registered with the MS .NET Passport before downloading.) In previous posts the AD4UNIX software was recommended, but it seems to be abandoned now, while MS SFU is free now and still being developed.

During the installation of MS SFU choose only the "Server for NIS" option. This will extend the AD schema and install the MMC snap-in (similar to the AD4UNIX one). Verify that you are able to create users with UNIX attributes and inspect those users from the LDAP side. When the installation is finished and the server is restarted, you can test the functionality of the SFU MMC snap-in and verify the SFU attributes in the LDAP browser. As the NIS server will not be needed, stop the Server for NIS service and change its startup type to Manual.

Note: The Server for NIS service, among other things, performs password synchronization between Kerberos and the LDAP msSFU30Password attribute. Synchronized passwords are however truncated to 8 characters and they aren't well encrypted - that's another reason to stop the Server for NIS service.

Needed packages to emerge:
samba - make sure that it's the 3.x version
openssl - needed for SSL
openldap - we will need this for client LDAP searches
cyrus-sasl - Simple Authentication and Security Layer - for basic encryption of LDAP binds and searches
ntp - we will use the ntp-client for time synchronization (for proper Kerberos functioning)
mit-krb5 - the MIT Kerberos
pam - the Pluggable Authentication Module base
pam_krb5 - Kerberos PAM module (note that the pam_ldap module will not be needed). There are some problems emerging the 1.0 version, see other posts on these forums. It seems to have problems with password change, too.
nss_ldap - LDAP module for the name switch system (enables redirection of searches for users, groups, etc. to LDAP)
Note: Make sure that nss_ldap is compiled with the --enable-schema-mapping parameter enabled, otherwise it will be of no use here.

Gentoo Linux:
Hostname: Gent
DNS Name: gent.sfu.acme.com
IP address: 192.168.1.28
Configuration details:
* USE settings: kerberos ldap samba sasl ssl (set them in /etc/make.conf; I recommend using the ufed tool for this)
* ACCEPT_KEYWORDS="~x86" (set it in /etc/make.conf, too) - in this way, the latest available packages for the Intel platform will be installed.

Kerberos configuration
Before Kerberos is configured, make sure that you have synchronized the local clock with the NTP server. You can do it using the ntp-client module. Its configuration file is /etc/conf.d/ntp-client.

Once you have a working Kerberos client configuration, you'll probably want to be able to log into your system using your Kerberos password. Since we don't have LDAP working yet, you should add a local entry for your username to the passwd and shadow files, but set your crypted password in /etc/shadow to *K*, the community standard to indicate that the password comes from Kerberos.

Kerberos principal and Kerberos keytab
Now we need to create a Kerberos principal and the corresponding keytab file for our Linux workstation on the Windows server. Let's choose one of the Windows user accounts for this. The attribute Kerberos Service Principal for the Linux computer will be added to this user account.

BEWARE: It is not acceptable to create a Kerberos Service Principal with the same name in more than one user account. In such a case, Kerberos would not be able to authenticate it correctly.

The following command has to be performed for each Linux computer, on a different user account:

Automatic updating of the Kerberos ticket
Let's now create a script for automatic update of the Kerberos ticket for LDAP. After the command executes, root's Kerberos ticket cache (/tmp/krb5cc_0) will be updated.

Check the results of this script. You can use the klist command to check the tickets in the Kerberos cache file. Note that the default location of this file is /tmp/krb5cc_[uid] (here, for the user root, it is the file /tmp/krb5cc_0).

Furthermore, it is necessary to run kerbinit.sh at boot of the computer. In this way, the Linux computer will have a valid Kerberos ticket for access to the LDAP. So let's add it to the /etc/conf.d/local.start file:

Code:

.
.
# This is a good place to load any misc.
# programs on startup ( 1>&2 )
sh /sbin/kerbinit.sh

LDAP configuration
Another important step is to make the correct settings in the LDAP config file. In Gentoo Linux there are actually two LDAP config files - /etc/ldap.conf and /etc/openldap/ldap.conf. If you want to use only one file for the LDAP configuration (in this case there is nothing wrong with that), you can make a symbolic link between them, for example:

Code:

ln -s /etc/ldap.conf /etc/openldap/ldap.conf

You can also try to set a system variable to determine which file will be used for the LDAP configuration (by adding the relevant line to the /etc/env.d/00basic file).

In the ldap.conf file you can see lines beginning with "nss_map_attribute", which are used to map the internal UNIX attributes of users, groups, etc. to the attributes available in the Active Directory after the expansion of its schema by MS Services for UNIX.

The lines beginning with "nss_base_passwd" and "nss_base_group" determine the bases (or contexts in the LDAP tree) from which searches for users and groups are made. You can enter more than one base here. By proper setting of the search bases, we can make LDAP searches more efficient. Note that if nss_ldap was not compiled using the --enable-schema-mapping parameter, attribute mapping will not take place and the LDAP searches will be performed for the original UNIX attributes.

The lines containing binddn, bindpw and rootbinddn (credentials for authentication to the LDAP directory) are commented out here, as Kerberos authentication will be used.

The line beginning with scope determines whether the child parts of the LDAP contexts should be searched, too (sub - search in all sub-contexts, one - search only the current context).
The ending part of the ldap.conf file contains settings for SASL authentication (Simple Authentication and Security Layer) and basic TLS encryption (Transport Layer Security).

To set up the SSL encryption, you have to make the Linux computer trust the SSL certificate of the LDAP server, otherwise you will find the Unknown CA error message in the captured SSL handshake packets (use Ethereal for this).

I am not sure what the proper procedure is for making Linux trust the SSL certificate. One promising solution could be to copy the files named *.db from the working profile directory of the Mozilla browser to the /etc/ssl/certs directory. But first you have to point Mozilla to the secure LDAP port of the server and accept its certificate permanently.

Testing LDAP access
You can test different modes of access to the LDAP directory using the ldapsearch command. The output of this command should be a list of LDAP objects (and their attributes) matched by the LDAP request (in the following example it is objectclass=user). In the beginning, try to enter most of the parameters explicitly on the command line - in this way the /etc/ldap.conf settings are bypassed. For debugging, you can also add the parameter -d N, where N is the debug level (for example -d 5).

If your configuration file is correct, you can perform the same search without entering most of the parameters. Moreover, you can pipe its output to the grep command to print only the lines containing, for example, the string msSFU30Name. In this way, the result will contain only the lines with the login names of the matched users:

Code:

gent root # ldapsearch objectclass=user |grep msSFU30Name

The communication between the Linux computer and the LDAP server can be traced using Ethereal. I am assuming that Ethereal is run on the Windows server, as there is otherwise no need to install XFree on the Linux computer. It is convenient to filter the captured packets in Ethereal using the input filter - to capture only packets containing the IP address of the Linux computer:

Code:

ip host gent

You should investigate those packets to be sure that there is no unencrypted data relating to the LDAP information in the packets. You can also check whether the LDAP bind is using Kerberos authentication - by looking at the packet containing the bind request. Expand its part named Lightweight Directory Access Protocol, Bind Request. If Kerberos authentication was used, the following sub-sections should be present there:

GSS-API Token
GSS-API
krb5_blob
Kerberos
Ticket

In the Ticket section, you can also check parameters of the Kerberos ticket (Realm, Service Name, Name)

The Name Switch System

Now it is necessary to configure the Linux system to look for user and group information in the LDAP directory, too. This is done in the /etc/nsswitch.conf file by adding the keyword ldap to the lines for passwd and group.

Note: The searches are made sequentially. The order of the searched databases is determined by their position (from the left) on the line of the /etc/nsswitch.conf file. For example, if you put "passwd: files ldap" there, the /etc/passwd file is parsed first and then a search is performed in the LDAP directory. The results of the search are reported in the same order.

You can test the functionality of the NSS by using for example the getent or id command:

The getent passwd command should print the list of users extracted from the /etc/passwd file, followed by the list of users acquired from the LDAP directory.

The PAM configuration

To be able to authenticate users via Kerberos, you have to add the Kerberos authentication module to the PAM configuration files. There are several configuration files; their names correspond to the names of the programs performing the user authentication. I am listing here the most common PAM configuration files. These files are located in the /etc/pam.d directory. So you should append the lines referring to the pam_krb5.so module.
Note: The sufficient control token defines that for a successful authentication it is sufficient to be authenticated by the specified PAM module (even in a case when the authentication made by previous "required" modules failed). The try_first_pass parameter instructs the PAM module that the password supplied to the previous PAM module should be tried first. In this way, another prompt for the password will not be invoked. To debug the PAM modules, you can also add the debug parameter, which will cause logging of the debug messages into the log file (/var/log/auth.log).

The samba configuration
The Samba configuration is located in the main configuration file /etc/samba/smb.conf. The following is an example smb.conf for the example MS network and the SFUSRV Windows 2K3 server.

After successful execution of this command, you can check whether the Linux computer is present in the list of domain computers in the MMC (Active Directory Users and Computers) on the Windows 2003 server.

Final configuration

In the end, the needed services and daemons should be added to the list of services launched at startup on the Linux computer. You should add these:

* ntp-client - for the time synchronization
* samba - for sharing files via the SMB protocol
* nscd (Name Service Cache Daemon) - for reducing the communication with the LDAP server and speeding up the LDAP searches
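As an added check for the client side of the setup described in this post (this script is not from the original post or from any of the packages it names): it validates the ldap.conf and nsswitch.conf points made above against a pair of constructed sample files, and shows what kerbinit.sh has to do when it refreshes root's ticket from the keytab. Two things it insists on that are easy to get wrong: a live bindpw in the world-readable /etc/ldap.conf hands every local user a domain password, so with the Kerberos bind in place the static credentials must stay out; and ssl alone does not make the Unknown CA condition go away, it only goes unnoticed unless the peer certificate is actually verified. Assumptions: the server sfusrv.sfu.acme.com, the realm SFU.ACME.COM, the principal host/gent.sfu.acme.com@SFU.ACME.COM, the keytab /etc/krb5.keytab, and the nss_ldap directives use_sasl, sasl_mech, krb5_ccname, tls_checkpeer and tls_cacertfile; the msSFU30* names are the SFU 3.x schema attributes.

```shell
#!/bin/sh
# ad_client_check.sh -- added example, not code from the original post.
# Checks the nss_ldap/Kerberos client settings against constructed sample
# files. Assumed: server sfusrv.sfu.acme.com, realm SFU.ACME.COM, host
# principal host/gent.sfu.acme.com@SFU.ACME.COM, keytab /etc/krb5.keytab.

# Value of directive $2 in ldap.conf $1 (last uncommented occurrence wins).
ldap_get() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# 0 if ldap.conf $1 maps the POSIX attribute $2 to an AD attribute.
has_map() {
    awk -v a="$2" '$1 == "nss_map_attribute" && $2 == a { found = 1 }
                   END { exit (found ? 0 : 1) }' "$1"
}

# Check an ldap.conf: prints one FAIL line per problem, returns 1 if any.
ldap_conf_check() {
    f=$1; rc=0
    # Kerberos replaces binddn/bindpw, and /etc/ldap.conf is world-readable:
    # a live bindpw there hands every local user a domain password.
    if [ -n "$(ldap_get "$f" bindpw)" ] || [ -n "$(ldap_get "$f" rootbinddn)" ]; then
        echo "FAIL: static bind credentials (bindpw/rootbinddn) present"; rc=1
    fi
    # The bind must be GSSAPI, using the cache that kerbinit.sh refreshes.
    if [ "$(ldap_get "$f" use_sasl)" != "on" ] || [ "$(ldap_get "$f" sasl_mech)" != "GSSAPI" ]; then
        echo "FAIL: need 'use_sasl on' and 'sasl_mech GSSAPI'"; rc=1
    fi
    # Encrypt the transport AND verify the server certificate; with
    # tls_checkpeer off the Unknown CA condition is silently accepted.
    case "$(ldap_get "$f" ssl)" in
        on|start_tls) ;;
        *) echo "FAIL: ssl must be 'on' (ldaps) or 'start_tls'"; rc=1 ;;
    esac
    if [ "$(ldap_get "$f" tls_checkpeer)" != "yes" ] || [ -z "$(ldap_get "$f" tls_cacertfile)" ]; then
        echo "FAIL: need 'tls_checkpeer yes' and a tls_cacertfile holding the AD CA"; rc=1
    fi
    # Schema mapping for SFU: without it nss_ldap asks AD for posixAccount/uid
    # and getent passwd returns no domain users at all.
    for attr in uid uidNumber gidNumber homeDirectory loginShell; do
        has_map "$f" "$attr" || { echo "FAIL: no nss_map_attribute for $attr"; rc=1; }
    done
    return $rc
}

# nsswitch.conf $1: files before ldap for passwd and group, so root and the
# local service accounts still resolve when the domain controller is down.
nss_check() {
    for db in passwd group; do
        awk -v db="$db:" '$1 == db { for (i = 2; i <= NF; i++) pos[$i] = i }
            END { ok = ("files" in pos) && ("ldap" in pos) && pos["files"] < pos["ldap"]
                  exit (ok ? 0 : 1) }' "$1" \
            || { echo "FAIL: $db must list files before ldap"; return 1; }
    done
    return 0
}

# The job of kerbinit.sh: root's ticket comes from the keytab, never from a
# typed or scripted password; klist -s reports whether the cache is now valid.
refresh_ticket() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed"; return 2; }
    kinit -k -t "${KEYTAB:-/etc/krb5.keytab}" \
        "${PRINCIPAL:-host/gent.sfu.acme.com@SFU.ACME.COM}" && klist -s
}

# ---- constructed sample files (not real site configuration) -------------
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
GOOD=$TMP/ldap.conf.good; BAD=$TMP/ldap.conf.bad; NSS=$TMP/nsswitch.conf
cat >"$GOOD" <<'EOF'
base dc=sfu,dc=acme,dc=com
scope sub
#bindpw not-used-with-kerberos
nss_base_passwd cn=Users,dc=sfu,dc=acme,dc=com?sub
nss_base_group cn=Users,dc=sfu,dc=acme,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
use_sasl on
sasl_mech GSSAPI
krb5_ccname /tmp/krb5cc_0
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/sfu-ad-ca.pem
EOF
# Weak variant: password in a world-readable file, no mapping, no TLS.
sed -e 's/^#bindpw.*/bindpw Secret123/' -e '/^nss_map_attribute/d' \
    -e '/^tls_/d' -e 's/^ssl .*/ssl off/' "$GOOD" >"$BAD"
printf 'passwd: files ldap\nshadow: files\ngroup:  files ldap\n' >"$NSS"

echo "== good ldap.conf"; ldap_conf_check "$GOOD" && echo OK
echo "== weak ldap.conf"; ldap_conf_check "$BAD" || echo "rejected, as it should be"
echo "== nsswitch.conf";  nss_check "$NSS" && echo OK
```

Run it against the real files with ldap_conf_check /etc/ldap.conf and nss_check /etc/nsswitch.conf once the script is sourced; refresh_ticket is the one function that talks to the KDC, so it is not exercised by the sample run.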

I have found one more useful tip to add to my previous post. It was presented at the Novell Brainshare conference last week.

To automatically create home directories for the AD users at the time of their first login, you can add the following line to the /etc/pam.d/system-auth file (most pam.d configuration files point back to the system-auth file):

To be honest, I'm not sure. I never thought to use it that way. I did it so that I can listen to my mp3 collection from either my laptop or desktop. I don't see why it won't work. Obviously you can't see unix accounts from windows, but I don't see why setting up shares wouldn't work. I can test it next week. I can't this week because I'm leaving for NYC in two days to fill out paperwork for the NYPD and won't be home until Monday.
_________________
Screw you guys, I'm going home...

Yes, I started samba and winbind and they both start just fine. I have system-auth-winbind in /etc/pam.d and I also copied its contents to system-auth. I added this to /etc/nsswitch.conf:

Code:

passwd: compat winbind
shadow: compat
group: compat winbind

I can auth with kerberos and I can join the domain. Doing wbinfo -u doesn't work though.

One more question: by chance are you running nscd? If you are, you need to stop and disable it. Winbind will not work if nscd is running. If not, please PM me your config files... the files I would like to see are:
/etc/krb5
/etc/smb.conf
_________________
Screw you guys, I'm going home...

I've been following the posts here and getting info from www.samba.org, and I can't get it to work.

All I need is for users logging in to a linux box to be authenticated via an active directory server.

I can connect with kerberos and I can join the domain, but I get an error when I do this:

Code:

# wbinfo -u
Error looking up domain users

I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.

-KsE

Did you find a solution to this? I'm having the same problem.
_________________
A bus station is where a bus stops, a train station is where a train stops. On my desk I have a work station..
Nixadmins.net
FLUG member 473

Code:

# Separate domain and username with '+', like DOMAIN+username
[global]
netbios name = cwit2
# I recommend the same name as the server.
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
# Tweak this to get the best speed out of your connection
idmap uid = 10000-20000
# This is for mapping uids between linux server and AD
winbind enum users = yes
# This allows you to bind users.
idmap gid = 10000-20000
# This is for mapping gids between linux server and AD
# (Samba 3 name, matching the idmap uid line above; "winbind gid" is the old synonym)
workgroup = LANGROUP
# Change to match the NETBIOS name of the AD domain.
os level = 20
# This is for the master browser priority.
winbind enum groups = yes
# This allows you to use the Active Directory groups
# socket address = 1.2.3.4
# Change this to match the IP address or remove it to listen to all addresses.
password server = *
# I recommend this if you have more than one server; I do in my case.
preferred master = no
# You do NOT want to be a master browser.
winbind separator = +
# See the first line comment.
max log size = 50
# In K
log file = /var/log/samba3/log.%m
# This allows logging activities for each machine.
encrypt passwords = yes
# Active directory does NOT accept plaintext passwords.
dns proxy = no
# You don't want anything to do with DNS.
realm = SPARKS.CITY
# This is for kerberos.
security = ADS
# Active directory server provides security for the shared resources.
#wins server = 1.2.3.4
# Change to IP address of your installed WINS server
wins proxy = no
# You don't want to proxy WINS either.

# Shares section
# Name of the share (a comment must be on its own line; smb.conf only
# ignores lines that start with # or ;).
[downloads]
comment = downloads
# A comment...
writeable = yes
# If you want users to update the directory
path = /home/jason/Downloads
# Where is the share on the linux server
force user = jason
# Should be the name of the user who is responsible for the share.
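An added check for an smb.conf of the shape posted above (this script is not from the thread and not part of Samba): it reads the [global] parameters that an ADS join and wbinfo -u depend on, and tests the idmap range against the local account file, since a range that overlaps an existing uid lets winbind hand a domain user the identity, and therefore the files, of a local account. It also answers the "wbinfo -u: Error looking up domain users" question from earlier in the thread as far as configuration goes: enumeration only works with winbind enum users = yes and both idmap ranges set. The smb.conf and passwd files in the script are constructed samples; the "backup" account sitting inside the range is there to make the collision check fire.

```shell
#!/bin/sh
# smb_winbind_check.sh -- added example, not part of the thread or of Samba.
# Checks the [global] settings winbind depends on in an smb.conf like the one
# above, and that the idmap range cannot collide with local accounts.
# The smb.conf and passwd files below are constructed samples.

# Value of parameter $2 from [global] in smb.conf $1. smb.conf keys are
# case- and whitespace-insensitive, so both sides are normalised.
smb_get() {
    awk -v want="$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { sec = tolower($0); gsub(/[^a-z0-9]/, "", sec); next }
        sec == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            if (key == want) { val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        }
        END { print val }' "$1"
}

# Range "low-high" ($1) must be sane and must not contain any id from column 3
# of the local passwd/group file $2: otherwise winbind can give an AD user the
# uid of a local account, and with it that account's files.
idmap_range_check() {
    range=$1; low=${range%-*}; high=${range#*-}
    [ "$low" -gt 0 ] 2>/dev/null && [ "$low" -lt "$high" ] \
        || { echo "FAIL: bad idmap range '$range'"; return 1; }
    clash=$(awk -F: -v lo="$low" -v hi="$high" '$3 >= lo && $3 <= hi { print $1 "(" $3 ")" }' "$2")
    [ -z "$clash" ] || { echo "FAIL: range $range overlaps local accounts: $clash"; return 1; }
    return 0
}

# The [global] values that an ADS join and 'wbinfo -u' rely on.
global_check() {
    f=$1; rc=0
    [ "$(smb_get "$f" security | tr 'A-Z' 'a-z')" = "ads" ] \
        || { echo "FAIL: security = ADS required for a Kerberos domain member"; rc=1; }
    realm=$(smb_get "$f" realm)
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] \
        || { echo "FAIL: realm must be set and upper case (it is the Kerberos realm)"; rc=1; }
    [ "$(smb_get "$f" 'winbind enum users')" = "yes" ] \
        || { echo "FAIL: wbinfo -u needs 'winbind enum users = yes'"; rc=1; }
    for p in 'idmap uid' 'idmap gid'; do
        [ -n "$(smb_get "$f" "$p")" ] || { echo "FAIL: '$p' not set"; rc=1; }
    done
    return $rc
}

# ---- constructed samples --------------------------------------------------
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
CONF=$TMP/smb.conf; PASSWD=$TMP/passwd
cat >"$CONF" <<'EOF'
[global]
   workgroup = LANGROUP
   realm = SPARKS.CITY
   security = ADS
   Idmap UID = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind separator = +
[downloads]
   path = /home/jason/Downloads
EOF
# A local 'backup' account whose uid sits inside the idmap range.
printf 'root:x:0:0:root:/root:/bin/sh\njason:x:1000:1000::/home/jason:/bin/bash\n' >"$PASSWD"
printf 'backup:x:10500:10500::/var/backup:/bin/false\n' >>"$PASSWD"

global_check "$CONF" && echo "[global]: OK"
idmap_range_check "$(smb_get "$CONF" 'idmap uid')" "$PASSWD" \
    || echo "move 'backup' out of the range, or shift 'idmap uid'/'idmap gid'"
```

On a real host, run idmap_range_check with /etc/passwd for the uid range and /etc/group for the gid range; testparm still has the last word on syntax, this only covers the semantics that testparm does not check.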

Thanks for the hint, but the error happens with kinit, so it's not (yet) a Samba problem; something with Kerberos seems to be wrong. As far as I found on Google, something with the "principals" - but I have no idea what I should enter there.

* ElCondor pasa *
_________________
Here I am the victim of my own choices and I'm just starting!

Ok. I set this up according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean, can I map drives now? What is the advantage of setting this whole thing up? Sorry for the n00b question.